With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.


In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The study revealed that 34% of the web pages of FT30 firms that collect personally identifiable information (PII) are doing so insecurely: 29% are not using encryption, 3.5% are using vulnerable encryption algorithms and 1.5% have expired security certificates.

While the insecure collection of PII is a violation of the GDPR, the study said the loss of personal data, profit and reputation resulting from the use of insecure forms is a legitimate concern for consumers and shareholders.

In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at €10m or 2% of global annual turnover for the preceding financial year, whichever is greater – or even double, depending on the infraction.

This applies to all companies actively engaging with European citizens, regardless of whether the firms have a physical presence in Europe.

The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Permission to use their data must be explicit and demonstrated through an action such as ticking a box – a significant departure from the “opt out” process most organisations currently have in place.

Bob Tarzey, analyst and director at Quocirca, said that although the RiskIQ research is focused on large UK companies, the findings are representative of all organisations.

“Many will already have the data security basics in place to comply with the regulations that precede GDPR,” he said. “However, GDPR has many additional requirements, especially around the way data is captured and processed. These include obtaining explicit opt-in from data subjects.

“Before an organisation can address GDPR, it needs to fully understand the extent of its online data-gathering activities. With enforcement of GDPR less than a year away, the time to act is now.”

The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.

“Thorough knowledge of an organisation’s web presence is crucial to steering clear of potential GDPR repercussions,” said Colin Verrall, RiskIQ vice-president for Europe, the Middle East and Africa.

“Our customers are using RiskIQ Digital Footprint to capture their full digital footprint and actively identify potential areas of non-compliance, including insecure data collection pages and forms.”

Verrall said this approach enables security and governance, risk and compliance teams to reduce an organisation’s attack surface and maintain compliance.

Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.
